[Announce] ANNOUNCE: strongswan-4.5.2 released

Andreas Steffen andreas.steffen at strongswan.org
Wed May 25 13:17:11 CEST 2011


Hi,
the strongSwan 4.5.2 release offers the following new features:

- The *whitelist* plugin for the IKEv2 daemon maintains an
    in-memory identity whitelist. Any connection attempt of peers
    not whitelisted will get rejected. The 'ipsec whitelist' utility
    provides a simple command line frontend for whitelist administration.

    http://wiki.strongswan.org/projects/strongswan/wiki/Whitelist

    http://www.strongswan.org/uml/testresults/ikev2/rw-whitelist/

- The *duplicheck* plugin provides a specialized form of duplicate
    checking, doing a liveness check on the old SA and optionally
    notifying a third party application about detected duplicates.

    http://wiki.strongswan.org/projects/strongswan/wiki/Duplicheck

- The *coupling* plugin permanently couples two or more devices by
    limiting authentication to previously used certificates.

    http://wiki.strongswan.org/projects/strongswan/wiki/CertCoupling

- Duncan Salerno contributed the *eap-sim-pcsc* plugin implementing
    a pcsc-lite based SIM card backend.

- The *eap-peap* plugin implements Microsoft's EAP PEAPv0 protocol.
    Interoperates successfully with a FreeRADIUS server and Windows 7
    Agile VPN clients.

    http://www.strongswan.org/uml/testresults/ikev2/rw-eap-peap-mschapv2/

- In the case that the peer config and child config don't have the
    same name (usually in SQL database defined connections),

      ipsec up|route <peer config>

    starts|routes all associated child configs and

      ipsec up|route <child config>

    only starts|routes the specific child config.

- The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and
    instructs all plugins to reload. Currently only the *eap-radius*
    and the *attr* plugins support configuration reloading.

- Added userland support to the IKEv2 daemon for the Extended Sequence
    Numbers (ESN) support coming with Linux 2.6.39. To enable ESN on a
    connection, add the 'esn' keyword to the proposal. The default
    proposal uses 32-bit sequence numbers only ('noesn'), and the same
    value is used if no ESN mode is specified. To negotiate ESN support
    with the peer, include both, e.g.

      esp=aes128-sha1-esn-noesn.

- In addition to ESN, Linux 2.6.39 gained support for replay windows
    larger than 32 packets. The new global strongswan.conf option

      charon.replay_window

    configures the size of the replay window, in packets.

- Linux 2.6.38 introduced the AF_ALG Crypto API which makes the
    crypto algorithms of the kernel available in userland. We have
    created a number of example scenarios showing the use of the
    *af-alg* plugin for IKEv1

    http://www.strongswan.org/uml/testresults/af-alg-ikev1/index.html

    and IKEv2

    http://www.strongswan.org/uml/testresults/af-alg-ikev2/index.html

    An updated overview on strongSwan's crypto options can be found
    on our wiki:

    http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

    http://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

Best regards

Andreas Steffen, Martin Willi, Tobias Brunner

The strongSwan Team

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
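
The ESN and replay window items above, as an added example that is not part of the original announcement and is not strongSwan or Linux kernel code: a receiver-side anti-replay check with a configurable window and 64-bit sequence numbers of which only the low 32 bits travel in the ESP header. All names (replay_state, esn_expand, replay_accept, MAX_WINDOW) are hypothetical, and the high-half guess is a simplified nearest-candidate form of the RFC 4303 Appendix A procedure.

```c
#include <stdint.h>
#include <string.h>

#define MAX_WINDOW 1024            /* upper bound for this sketch only */

struct replay_state {
    uint64_t top;                  /* highest 64-bit sequence number accepted */
    uint32_t size;                 /* window size in packets */
    uint8_t  seen[MAX_WINDOW];     /* seen[seq % size] == 1 if seq was accepted */
};

void replay_init(struct replay_state *st, uint32_t size)
{
    memset(st, 0, sizeof(*st));
    st->size = (size == 0 || size > MAX_WINDOW) ? MAX_WINDOW : size;
}

/* Rebuild the 64-bit ESN from the 32 bits on the wire by picking the candidate
 * closest to the top of the window (a real stack confirms it via the ICV). */
uint64_t esn_expand(const struct replay_state *st, uint32_t seq_lo)
{
    uint64_t hi = st->top >> 32;
    uint32_t top_lo = (uint32_t)st->top;
    if (seq_lo < top_lo && top_lo - seq_lo > 0x80000000u)
        hi++;                      /* low half wrapped: next 2^32 subspace */
    else if (seq_lo > top_lo && seq_lo - top_lo > 0x80000000u && hi > 0)
        hi--;                      /* late packet from the previous subspace */
    return (hi << 32) | seq_lo;
}

/* Returns 1 and records the packet if it is fresh, 0 if it must be dropped. */
int replay_accept(struct replay_state *st, uint32_t seq_lo)
{
    uint64_t seq = esn_expand(st, seq_lo);
    if (seq == 0) return 0;                 /* ESP never sends sequence 0 */
    if (seq > st->top) {                    /* window slides forward */
        uint64_t gap = seq - st->top;
        if (gap >= st->size)
            memset(st->seen, 0, st->size);
        else
            for (uint64_t s = st->top + 1; s < seq; s++)
                st->seen[s % st->size] = 0; /* skipped numbers: not seen yet */
        st->top = seq;
    } else if (st->top - seq >= st->size || st->seen[seq % st->size]) {
        return 0;                           /* too old, or a replay */
    }
    st->seen[seq % st->size] = 1;
    return 1;
}
```

With a 32-packet window a packet that arrives 40 sequence numbers late is dropped as too old, while a 128-packet window still accepts it once and rejects its replay.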


